The black paper of quantum cryptography: real implementation problems 
The fact that the laws of physics play a role in the security of quantum key distribution (QKD)
has often been misunderstood, as if the security of QKD would be based only on the laws of physics.
The history of practical QKD demonstrates how misleading such a stance may be. An assessment 
of the latest developments shows that no threat seems unredeemable (in principle, QKD can be 
made secure) but that any specific implementation will always include some elements of trust. This 
leads us to guess that the field is going to split in two directions: those who pursue really practical 
devices may have to moderate their security claims; those who pursue ultimate security may have 
to suspend their claims of usefulness. 



I. INTRODUCTION 

In their seminal 1984 paper Bennett and Bras- 
sard argued that some basic laws of physics may 
prove useful in cryptographic tasks. They consid- 
ered first the task of key distribution between distant 
partners and noticed that quantum signals are ideal 
trusted couriers: if the eavesdropper Eve tries to 
obtain some information, her action cannot remain 
concealed, because measurement modifies the state 
or, equivalently, because of the no-cloning theorem. 
In the second part of their paper, they turned to the 
task of bit-commitment and proposed a quantum so-
lution relying on entanglement. In 1991, Ekert in-
dependently re-discovered quantum key distribution
0: his intuition was based on entanglement, more 
specifically on Bell's inequalities. 
The fact that security is based on physical laws led
to the hope that quantum cryptography may pro- 
vide the highest possible level of security, namely 
security against an adversary with unrestricted com- 
putational power; in the jargon, unconditional secu- 
rity. Further research vindicated only one of the 
two conjectures of Bennett and Brassard: key dis- 
tribution can indeed be made unconditionally secure 
[1, 0, 01 ) while bit commitment cannot Q . Most of 
the subsequent developments in quantum cryptog- 
raphy have therefore been devoted to quantum key 
distribution (QKD); several review papers are avail- 
able 0,&ili3. 



II. QUANTUM SIGNALS AS INCORRUPTIBLE COURIERS

Even before unconditional security was technically 
proved, "security based on the laws of physics" be- 
came the selling slogan of QKD. It's catchy, and 
it can be understood correctly — but it may also 
be understood wrongly and has often been explic- 
itly spelled out as "security based only on the laws 
of physics". Of course, a pause of reflection shows
that the statement cannot possibly be as strong as 
that. For instance, the laws of physics do not pre-
vent someone from reading the outcomes of a de-
tector; however, if the adversary has access to that 
information, security is clearly compromised! But 
many people were just carried away by the power of 
the slogan — fair enough, this does not happen only 
with QKD. 

On the wings of enthusiasm, some promoters of 
QKD also managed to convey the impression that 
they were presenting the solution for (almost) ev- 
ery task of secret communication. This may have 
impressed some sponsors. However, the main result 
was to alienate a great part of the community of ex- 
perts in classical cryptography, who, unfamiliar with 
quantum physics though they may be, could not fail 
to spot the overstatement. Fortunately, not all dia- 
log was broken, and both the interest and the niche 
character of QKD are peacefully admitted today. 
In fact, the understanding of the niche character 
of QKD immediately clarifies the role of the laws 
of physics as well. The SECOQC White Paper of
2007 [11] convincingly argued that QKD is a form
of "trusted courier", i.e. a potential solution only
for those tasks, for which a trusted courier may be
useful. With human couriers, we are fairly famil-
iar. Suppose Alice creates a one-time pad key on
her computer, burns it on a DVD and entrusts to a
human courier Charlie the task of bringing it to Bob.
Alice should be confident that 

(i) her computer and Bob's are not leaking infor-
mation, by themselves or through active hack-
ing;

(ii) Charlie is honest at the moment of receiving 
the key from Alice; 

(iii) Charlie will not be corrupted during his travel 
from Alice to Bob. 

Replacing Charlie with quantum couriers, one does 
not have to worry about (iii) anymore: the laws of 
physics guarantee it; but they don't guarantee (i) and 
(ii). Indeed, it's pretty obvious that (i) must be 
enforced also for QKD. As for (ii), a "dishonest" 
quantum courier would be a quantum signal whose 
state has not been accurately characterized. 
Still, one may think that the danger of (i) and (ii)
does not extend beyond caricature examples: "Sure 
enough, if Eve can see Alice through a window...; 
sure enough, if the source produces always two pho- 
tons instead of one... But one can easily check for 
such blunders". Unfortunately, exactly the opposite
is the case: blunders affecting the security through 
failures of (i) or (ii) may be numerous and very 
subtle; most of the recent developments in practi- 
cal QKD have to do with those concerns, as we are 
going to show in the next Section. 



III. ALL THAT THE LAWS OF PHYSICS DON'T TAKE CARE OF

A. Problems at preparation 

We begin by examining the need for a careful assess- 
ment of the properties of the courier. Here is a list 
of examples. Note that most of them refer to im- 
plementations with weak coherent pulses: probably 
not because they are much worse than others, but 
because they have been scrutinized more thoroughly. 

1. Problem: attenuated laser pulses are not single 
photons; multi-photon components are impor-
tant. Solutions: adapt the security proofs
to take the effect into account [11], or change 
the protocol [13, [iBl or of course change the 
source. 

2. Problem: successive pulses emitted by a laser 
are generally not independent, they may have 
phase coherence [16]. Solution: adapt the se-
curity proofs (not done at the moment of writ-
ing) or actively randomize the phase. 

3. Problem: in the so-called "plug-and-play" im- 
plementations (the ones chosen for several 
commercial setups), photons do a round trip: 
Alice's device must receive light, code it and 
resend it. But then, one must assume
that the photons that enter Alice's lab might
have been prepared by Eve [3]. Solution: add
attenuation and active phase randomization, 
then use a suitable security proof [19]. 

4. Problem: in continuous-variables QKD, if the 
local oscillator travels between Alice and Bob, 
the implementation is completely insecure un-
less Bob monitors the intensity [20]. Solution:
add a beam-splitter and monitor the intensity. 

5. Problem: in some implementations, the differ- 
ent letters of the QKD alphabet are prepared 
by different light sources [21]. Each source may
have its own fingerprint: for instance, even if 
coding is supposed to be in polarization, differ- 
ent sources may have different spectra. Also,
minor initial or temperature-dependent differ-
ences in the electric driving circuitry of each 
source may go undetected in normal operation 
or assembly of the setup, but certainly leave 
a temporal fingerprint in the transmitted sig- 
nal. Solution: no miracle solution exists, one 
has to characterize the sources and bound the 
possible leakage of information. 

B. Problems at detection 

Let us now review some examples of the problems 
at the level of detection. One such problem (ad- 
mittedly, an anecdotal one) was stressed in the very 
first demonstration experiment presented by Ben- 
nett and coworkers |^]: the Pockels cells used to 
select the bases were driven by high-voltage devices, 
which made an audible sound depending on the ba- 
sis or letter selection. Someone said that the de- 
vice provided "unconditional security against a deaf 
eavesdropper": a joke... or a prophetic insight into the
fate of practical QKD? 

1. Problem: an example of leakage of classical in-
formation exploits parasitic properties of de-
tectors. It is known that, upon detection, Sil-
icon avalanche photodetectors emit light due
to hot carrier recombination. This light may
leak out through the optical channel, revealing
which detector has fired. Solution: other
photo-diodes have been tested and no such 
back-flashing was detected (of course, these 
studies rely on the assumption that the de- 
vices used to probe for such radiation capture 
any sensibly accessible wavelength range). 

2. Problem: in "plug-and-play" systems, as men-
tioned, Alice's device is open to receive pho-
tons, before coding and resending them. The
eavesdropper may implement a Trojan horse 
attack to probe Alice's phase modulator: send 
in light (say at a different wavelength) and 
collect it back, coded. Solution: because the 
setup involves attenuators, the additional light 
that is sent in should be quite intense; a pro- 
portional detector is then added at the en- 
trance of the setup, which should detect un- 
usually strong signals [2^ . 

3. Problem: light fields ('faked states') can be 
generated which force at least some of the com- 
mon detectors to produce outcomes resembling 
those corresponding to the detection of sin-
gle photons [25]. This may be exploited to
implement something similar to a man-in-the- 
middle attack. Solution: depends on the de- 
tails of the implementation. 

4. Problem: photodetectors may also be manip- 
ulated to change their timing behaviour [2y], 
such that the detection time is partly corre-
lated with the detection outcome. An exper-
imental evaluation of this leakage channel be-
came known as the time-shift attack [27]. So-
lution: check that all the detectors have the
same timing statistics. 

5. Problem: in a similar fashion, communication 
of detection times (necessary in any scenario 
with a lossy communication channel) with
too high an accuracy may reveal substantial in-
formation about the measurement results, just
due to imbalanced electronic delays and/or detec-
tor parameter scatter. Solution: do not
reveal too many digits of your detection times. 
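
The checks named in items 4 and 5 can be made quantitative. The following Python code is an added example, not part of the original paper: it generates constructed detection records for two detectors with assumed electronic delays of 2000 ps and 2200 ps and 100 ps jitter, measures the timing mismatch, and estimates how many bits per detection an announced timestamp leaks at a given resolution. All function names and numbers are hypothetical.

```python
import math
import random
from collections import Counter

def simulate_detections(n, delay_ps, jitter_ps=100.0, seed=7):
    """Constructed data: n events (bit, click offset from the pulse clock in ps).

    delay_ps[b] is the assumed fixed electronic delay of the detector that
    registers bit b; jitter is Gaussian. All numbers are illustrative.
    """
    rng = random.Random(seed)
    events = []
    for _ in range(n):
        bit = rng.getrandbits(1)
        events.append((bit, rng.gauss(delay_ps[bit], jitter_ps)))
    return events

def timing_mismatch_ps(events):
    """Difference of mean click offsets between the two detectors (item 4)."""
    sums, counts = [0.0, 0.0], [0, 0]
    for bit, t in events:
        sums[bit] += t
        counts[bit] += 1
    return sums[1] / counts[1] - sums[0] / counts[0]

def leakage_bits(events, resolution_ps):
    """Empirical mutual information I(bit; announced time), in bits per
    detection, when offsets are truncated to multiples of resolution_ps (item 5)."""
    n = len(events)
    joint = Counter((bit, math.floor(t / resolution_ps)) for bit, t in events)
    p_bit, p_bin = Counter(), Counter()
    for (bit, k), c in joint.items():
        p_bit[bit] += c
        p_bin[k] += c
    return sum(c / n * math.log2(c * n / (p_bit[bit] * p_bin[k]))
               for (bit, k), c in joint.items())

if __name__ == "__main__":
    skewed = simulate_detections(20000, delay_ps=(2000.0, 2200.0))
    balanced = simulate_detections(20000, delay_ps=(2000.0, 2000.0))
    print("mismatch (ps):", round(timing_mismatch_ps(skewed), 1))
    for res in (10, 1000, 10000):
        print(res, "ps  skewed:", round(leakage_bits(skewed, res), 3),
              " balanced:", round(leakage_bits(balanced, res), 3))
```

In this constructed data set, truncating to 1000 ps still leaks because a bin edge falls between the two detector delays; only a resolution coarser than the whole delay spread, or equalised delays, brings the estimate to zero.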



C. A balance 

Just as in every field, there have been sheer mis- 
takes in practical QKD: using an inadequate secu- 
rity bound (see below), neglecting to authenticate 
the classical channel, and the like. The problems 
reviewed above, however, do not belong to that cat- 
egory: each of them has been the object of a real 
discovery. 

The positive side of it all is that, once identified, each 
of those problems can be solved: thanks to these 
discoveries, the security of implementations has in- 
creased over the years. Another good piece of news 
is that, in spite of serious scrutiny, there is no
hint of a threat that would compromise the secu- 
rity of QKD in an irredeemable way. But there is a 
negative side to it: before being identified, each of 
the problems above represented a serious potential 
breach of security. It is a truism to stress that we 
may not be aware of similar problems, which have 
not been discovered yet. 

We come to the bottom line of this section. We 
believe that this state of affairs cannot be simply 
dismissed with a "there have been examples of bad 
design of the device". At any stage of development, 
the devices were actually carefully designed; the se- 
curity claims of the authors were accepted as valid 
by referees and colleagues. Neither now, nor at any 
later time, will one be able to guarantee that the 
devices in use are provably good. And it is certainly 
not a good idea to close one's eyes, invoke the laws 
of physics and dump on them a responsibility they 
cannot possibly bear. 



D. On the use of security proofs 

We conclude this section with yet another series of 
concerns. Suppose for a moment that all the possi- 
ble issues related to the implementation are under 
control. Can one finally rest in peace and trust the 
laws of physics? In principle one can, provided all
the assumptions, under which the security bounds
were derived, are fulfilled by the implementation.
Indeed, another dangerous shortcut consists in asso-
ciating "unconditional security" with "no assump-
tions": no assumptions should be made on the power
of the eavesdropper, but assumptions must be made 
on what Alice and Bob are doing. Here are a few 
examples: 

• Until 2007, only very few experts were aware 
of a huge assumption in security proofs: the 
security bounds were valid only in the limit 
of infinitely long keys! Finite-key bounds are 
now tractable and the stringency of finite-key 
corrections has been duly stressed [29].

• Security proofs always imply a modeling of 
the detection process. For instance, almost all 
the proofs in discrete-variable QKD are based 
on an assumption called squashing: basically, 
whether a detector ends up squashing all the 
complexity of a state of the electromagnetic 
field (the "real thing") into a qubit (the thing
theorists work with). The validity of this as- 
sumption was proved recently for the BB84 
coding ^3^; for other protocols, it remains an 
assumption. 

• The most general theoretical bounds can ac- 
commodate all possible statistics. When 
applied to the study of a practical setup, 
however, simplifying assumptions are usually 
made. For instance, we are aware of only one 
proof, in which the detectors are allowed to 
have different efficiency, which is the case in 
reality [3]| . 

Ultimately, the suitable security bound for an im- 
plementation cannot be found explicitly spelled out 
in a theoretical paper; nor even in an experimental 
paper reporting on a similar implementation. Those 
papers should provide guidance, but each specific 
setup must be the object of a dedicated study — 
whence another element of trust creeps in: one must 
trust the thoroughness of this dedicated study. 



IV. PATHS FOR THE FUTURE 

QKD has evolved from the dreams of childhood to 
the seriousness of maturity. What is the next stage? 
Sure enough, "only time will tell what we will do in 
the future" [32]. But the facts sketched above, com-
bined with some tendencies within the QKD com-
munity, allow a guess of two directions in which the 
field may evolve in the coming years. 

A. Option 1: reasonable security of a device

Although they do not provide "security based only 
on the laws of physics", usual QKD devices provide a
quite reasonable level of security if implemented with 
technical competence and without false complacency 
on their "quantumness". After all, couriers of classi-
cal information must also be trusted; once the trust
is there, QKD guarantees the incorruptibility of the 
courier during its travel — a guarantee that classical 
information cannot offer. 

Here we have therefore a first possible stance: give 
up claims of ultimate security, find a competitive 
edge and try to produce devices that compare fa-
vorably with those operating with classical informa-
tion. It is our impression that some of the main actors
in practical QKD have already taken this stance. 
Apart from technological development, one of the 
main challenges along the way will consist in find- 
ing where exactly the competitive edge may lie — a 
superficial survey of claims may suggest that long- 
distance implementations are one of the goals, but 
in fact QKD does not seem to be a viable solution 
in that regime [33].

B. Option 2: device-independent security and its price

Recently, some authors have come up with a new 
class of QKD protocols that come as close as possi- 
ble to the claim of "security based only on the laws 
of physics". The idea was already present in Ekert's
1991 seminal paper but went unnoticed for many 
years. The key ingredient is that Bell's theorem is 
independent of quantum physics. As a consequence, 
it is also independent of the details of the physi- 
cal systems under study (its Hilbert space, its state, 
the measurements that are performed). Therefore, 
a protocol that estimates Eve's information through 
the amount of violation of a Bell-type inequality is
"device-independent" [34].

Of course, even the security of device-independent 
protocols is not based only on the laws of physics; 
however, it seems that only those requirements are 
left that are strictly necessary: the eavesdropper 
does not read your data, does not know which mea- 
surements you are going to choose, and the like. A 
comprehensive discussion can be found in Ref. [35].
What we want to highlight here is that this level of 
security, arguably the most paranoid one can envis- 
age, comes together with very stringent constraints. 
As an example, we show how device-independent 
protocols have an (almost) intrinsic limitation in 
distance. This stems from the requirement that the 
detection efficiency must be high enough to close 
the so-called detection loophole. Indeed, as soon 
as the fraction of detected pairs falls below a given 
threshold, the observed violation of Bell-type in-
equality could have been created by pre-established
agreement: the devices may just contain computers
pre-programmed by the eavesdropper! In an imple-
mentation, since it is impossible to distinguish losses in
transmission from losses due to the quantum effi-
ciency of the detector, the threshold gives the value
of the tolerable total amount of losses.
How much is this threshold? A thorough study of 
the detection loophole is missing, partly because the 
classification of Bell's inequalities is a hard task in 
itself, and partly because the whole issue was con- 
sidered of limited interest before the idea of device- 
independent QKD came about. It is known that 
there is no finite lower bound: there are explicit ex- 
amples in which the detection loophole can be closed 
with arbitrarily low efficiency [36]. However, these
examples use states of very large dimension d and 
a number of measurements that is exponential in d. 
For a QKD protocol to qualify as "practical", the 
number of measurements and of outcomes must be 
kept "reasonable". The set of inequalities with few
measurements and few outcomes has been studied 
in great detail (though not in its fullness) and, in 
those cases, the detection threshold is always found 
well above 50% [l^]- For definiteness therefore, let 
us take the value of 50% for the threshold of total 
detection efficiency [s^. 

InGaAs photodetectors in the telecom wavelength 
range have efficiencies below 30% even under the 
most optimistic specifications; none of the imple-
mentations using those detectors can therefore be
used for device-independent security. Depending on
the trust in manufacturer specifications, setups us-
ing Silicon-APD may just about reach the thresh-
old on the detector side, but then almost no losses
can be tolerated in the channel. Assuming detectors 
with 100% efficiency [s^, fiber-optical transmission 
channels without any interconnect losses and with 
the usually quoted (optimistic) attenuation coeffi-
cient of 0.18 dB/km would limit a direct QKD link
to a distance of 16 km. 
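
The 16 km figure can be checked with a short loss budget (a worked step added here, not part of the original text; the symbols $\eta_{\mathrm{det}}$, $\eta_{\mathrm{th}}$, $\alpha$ and $L$ are introduced for this illustration, and the whole channel loss is assumed to add to the inefficiency of one detector). The detector efficiency times the fibre transmission must stay above the threshold:

$$\eta_{\mathrm{det}} \cdot 10^{-\alpha L/10} \;\ge\; \eta_{\mathrm{th}} \quad\Longrightarrow\quad L \;\le\; \frac{10}{\alpha}\,\log_{10}\frac{\eta_{\mathrm{det}}}{\eta_{\mathrm{th}}}.$$

With $\eta_{\mathrm{det}} = 1$, $\eta_{\mathrm{th}} = 0.5$ and $\alpha = 0.18$ dB/km this gives $L \le 3.01\,\mathrm{dB} / 0.18\,\mathrm{dB/km} \approx 16.7$ km, consistent with the quoted 16 km. For $\eta_{\mathrm{det}} < \eta_{\mathrm{th}}$ (the InGaAs case, below 30%) the right-hand side is negative, so no distance is allowed.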

This issue of the distance has been presented as 
an example of how stringent the requirements for 
device-independent security may be. If we believe 
that history repeats itself, further scrutiny will lead 
to identifying further limitations of these very re- 
cent protocols. In other words, it may be premature 
to attach any practical value to device-independent 
QKD; whence the second possible stance that we en- 
visage for the coming years: focus on developing the 
tools (both theoretical and experimental) required 
to demonstrate the ultimate level of security, leaving 
aside, at least temporarily, all claims of usefulness. 



V. CONCLUSION 

We have reviewed the evidence of the fact that QKD 
guarantees security based on the laws of physics pro-
vided the implementation is perfect, or more pre-
cisely, provided all the imperfections of the imple-
mentation have been characterized and their effect 
is accounted for. Since a thorough check of all pos- 
sible leakage channels is impossible, the security of 
any specific implementation of QKD will always be 
based on some elements of trust. Expressions like 
"security based only on the laws of physics" or "un- 
conditional security" are unfortunate. They may be 
convenient among experts, as part of their technical 
jargon; but when they leak out to larger audiences, 
they almost invariably convey the wrong message 
(the same is true for "device-independent", though
fortunately this expression has not reached the gen- 
eral public yet). 

Specifically, we argued that the level of trust for 
usual QKD protocols, like BB84, is not very differ- 
ent from the one demanded of a "trusted courier" 
carrying classical information. Protocols based on 
Bell's inequalities minimize the number of elements
of trust but come with very stringent requirements.

Twenty-five years after BB84, the field of QKD 
seems on the point of splitting in two directions: 
(i) the development of prototypes optimized for the 
needs of niche tasks and guaranteeing a "reasonable" 
level of security; (ii) the quest for demonstrating the 
most paranoid level of security, leaving aside, at least 
temporarily, the claim of practical usefulness. 